Duane Morris Takeaway: The Duane Morris Class Action Defense Group is pleased to announce that attorneys Ryan Garippo and George Schaller have been selected as honorees of the inaugural class of Class Action Updates’ Premier Class Action Leaders of Tomorrow Award, which recognizes 12 exceptional rising stars under the age 40 “who are redefining the frontiers of class action litigation through innovative strategies, landmark victories, and unwavering commitment to justice on both sides of the bar. Selected from a highly competitive pool of nominations, their groundbreaking work promises to inspire the next generation of litigators and fortify the pillars of the legal system.”
Kudos to Ryan and George on this well-deserved accomplishment!
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and senior associate Hayley Ryan with their analysis of a California federal court’s dismissal of an advertising technology (“adtech”) class action alleging violations of the federal Video Privacy Protection Act (“VPPA”), the California Invasion of Privacy Act (“CIPA”), and California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”).
Jerry Maatman: Thank you for being here again. My name is Jerry Maatman, and welcome to the next episode of our podcast series entitled The Class Action Weekly Wire. Joining me today is Hayley Ryan. Thanks so much for joining the podcast.
Hayley Ryan: Great to be here, Jerry. Thanks for having me.
Jerry: Today, we’re going to dive into a very interesting decision, the dismissal of claims in a case entitled DellaSalla v. Samba TV. Can you give our listeners an overview of what this case was about?
Hayley: Absolutely, Jerry. The case was decided on October 30, 2025, by Judge Jacqueline Scott Corley in the U.S. District Court for the Northern District of California. In short, the plaintiffs were a group of smart TV owners who alleged that Samba TV’s advertising technology invaded their privacy and violated a handful of statutes, including the federal Video Privacy Protection Act, or the VPPA, and two California laws: the California Invasion of Privacy Act, or CIPA, and the Comprehensive Computer Data Access and Fraud Act, or CDAFA.
Jerry: Well, those of us in the class action space know that this is the new so-called “tort of the day,” with what are known as adtech privacy class actions, being filed across the United States with hundreds, if not thousands, of these sorts of lawsuits. To you, and I know you follow this area closely, what stood out about this particular ruling?
Hayley: Sure, what’s significant here is the court’s clear message. Privacy class actions can’t just rely on broad or vague allegations. The plaintiffs have to spell out exactly what information was allegedly disclosed, and why that disclosure would be considered highly offensive. That’s particularly important for the common law invasion of privacy claims that often accompany statutory ones.
Jerry: So, as I understand it, the gravamen of the claim was that the TV was intercepting viewing data, what you watched, when you watched it, and then tying that to some sort of ad targeting? Is that what this case was all about?
Hayley: Exactly, Jerry. They claimed that this kind of real-time data collection violated those privacy statutes and amounted to a common law invasion of privacy. But Samba TV pushed back, arguing that none of the California laws applied because the plaintiffs lived in North Carolina and Oklahoma, that the VPPA did not apply because Samba was not a videotaped service provider, and that there was nothing highly offensive about what was allegedly collected.
Jerry: As I read the opinion here, the court endorsed the defense positions and threw out the plaintiffs’ claims. Could you elaborate on the reasoning behind the court’s theories here?
Hayley: Sure. So, the court dismissed all claims. First, on the California statutes, the CIPA and CDAFA, the judge found that they simply do not apply extraterritorially. Because the alleged conduct occurred in North Carolina and Oklahoma, where the plaintiffs reside, and not in California, those claims were dismissed.
Jerry: That seems to be a very helpful gloss on those statutes, because almost all these companies operate in California, even though they may be headquartered in other states, and yet are hauled into court and sued over and over again in these California-based class actions.
Hayley: Yeah, it’s certainly a helpful clarification for companies in California who operate nationwide. And then on the VPPA claim, the court took a close look at the definition of a videotape service provider, which applies to entities engaged in the rental, sale, or delivery of pre-recorded video materials. The plaintiffs tried to stretch that definition, saying Samba TV’s software was part of the TV ecosystem that delivers videos.
Jerry: In essence, the court thought that was stretching the law too far and the parameters of the case just out of control.
Hayley: Right, so Judge Corley said Samba TV was not delivering video content, but that it was analyzing usage data. So, the VPPA did not apply, because collecting data about video watching is not the same as delivering video content itself.
Jerry: That, you know, actually makes good sense to me. What about the common law invasion of privacy claim? How did the judge interpret that and rule on that particular cause of action?
Hayley: Yeah, so this was probably the most interesting part of the opinion. The court found that the plaintiffs’ allegations were too vague because they failed to identify any specific shows or videos they watched. They did not describe what was supposedly private about the data, and they did not explain how tying it to an anonymized identifier was highly offensive. So, the court found that the plaintiffs did not plausibly allege a violation of privacy.
Jerry: That seems to be a very common sense reading of the law, because these cases come down to ‘my viewing data or my keystrokes were viewed, and therefore my privacy was violated.’ What do you think is the big takeaway from this decision for companies?
Hayley: So, I think that there are three main takeaways. First, plaintiffs can’t use state privacy laws like the CIPA and the CDAFA if they’re outside of California. Second, the VPPA doesn’t apply to analytics or adtech companies that merely collect viewing data. They have to actually deliver or sell video content. And third, for common law invasion of privacy claims, vague allegations just won’t cut it, and plaintiffs need specificity and a plausible showing of offensiveness.
Jerry: Seems to me that defendants are going to be citing this ruling in many of their briefs in the coming months in privacy and adtech-related class actions for the notion that tracking doesn’t equate to invasion or a viable cause of action.
Well, thanks for breaking down this decision and explaining it to our listeners, and thanks for your thought leadership in this area. Great to have you with us.
Hayley: Thanks, Jerry, and thanks, listeners. It was a pleasure to be here.
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and senior associate Tyler Zmick with their analysis of a $12.1 million settlement resolving a BIPA class action following eight years of litigation.
Jerry Maatman: Thank you, loyal blog listeners and readers, for being here again for our next episode of the Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today is my colleague, Tyler Zmick. Thanks so much for being on our podcast today.
Tyler Zmick: Great to be here, Jerry. Thank you for having me.
Jerry: Today, we’re diving into a recent class action settlement in Illinois under the Biometric Information Privacy Act, known as BIPA, and a case that centered around a dispute between 7,700 current and former employees of Speedway over biometric data collection. Last Wednesday, the court here in Chicago gave final approval to a class action settlement worth $12.1 million. Tyler, let’s break it down and give our listeners a quick overview of what this litigation was all about.
Tyler: Sure thing. So, this is actually one of the older BIPA class actions that was filed back in 2017 by a lead plaintiff named Christopher Howe. Mr. Howe alleged that Speedway, the convenience store and gas station, required its employees to scan their fingerprints to clock in and out of work without providing informed consent, which is required by the statute. And so, therefore, the lawsuit claimed that Speedway violated BIPA, and the statute, as we all know, requires companies to get written, informed consent from individuals before it collects their biometric data, including fingerprints or facial scans. And the plaintiff alleged that he never received any kind of explanation about the biometric collection, and did not provide any written consent.
Jerry: So, this is a classic BIPA case, kind of that got-you situation, where either you did or you didn’t provide informed consent to workers regarding the collection of their biometric data. But here, the settlement certainly is very significant from a monetary standpoint, and it follows on the heels of pretty extensive litigation, as you had mentioned, back to 2017. In your mind, what were some of the key turning points in the litigation that led to this settlement?
Tyler: Right, so, as you mentioned, getting to the settlement in this particular case was a very long journey. The case hit a major milestone last September of 2024, when the Northern District of Illinois denied Speedway’s motion for summary judgment and granted plaintiffs motion for class certification. In its summary judgment motion, Speedway had argued that the fingerprint scans used with the timekeeping system did not qualify as biometric data under BIPA, because they were just partial prints, not full fingerprints. The court rejected that argument, stating that partial fingerprints are still covered under the statute. And the court also dismissed Speedway’s argument that its potential damages, which ranged from $14.4 million to $72 million, were disproportionate to the harm, and therefore, a class could not be certified. The court basically said that, look, if a company’s misconduct is so extensive that the penalties may be high, that is still no excuse for a defendant to claim that its damages are so excessive just because it violated the statute that many times.
Jerry: Despite all that, Speedway, however, was able to settle the case for $12.1 million. What can you tell us from the public filings about the terms of the settlement?
Tyler: So, as you mentioned, Jerry, the settlement includes a $12.1 million settlement fund, which will be divided among the 7,700 class members who worked at Speedway gas stations in Illinois between 2012 and 2017. The class members will each receive an equal prorated share, minus administrative costs, attorneys’ fees, and incentive award for the class representative, and importantly—and this is somewhat noteworthy—the settlement includes an attorney fee award of $4.5 million for the plaintiffs’ counsel. The court approved that amount, saying that the amounts are reasonable given the complexity and length of the litigation.
Jerry: I know our listeners recognize your name for thought leadership in the BIPA area, probably knowing as much, if not more, about BIPA rulings and BIPA settlements than any attorney in the Chicago area. What is your take in terms of the value of the settlement, the amount of money that the plaintiffs were able to garner here, compared and benchmarked towards other BIPA-related settlements?
Tyler: In my opinion, this settlement is fairly typical of a large BIPA class action, especially one involving a fingerprint-based timekeeping system, which, is more straightforwardly biometric than maybe other fact patterns will present. But this is a typical settlement when you consider the risks and costs involved of continuing litigation and a potential appeal. As we’ve seen in this case, litigation can drag on for years, and there is a degree of unpredictability. So, in this case, for the plaintiff and class members, a $12.1 million settlement ensures that they get a large amount of compensation without any further risks, and without the expense of trial and potential appeal. And the fact that there were no objections to the settlement from class members is a strong indicator that the settlement was viewed as fair by those involved.
Jerry: Well, not unlike taxes, the cost of settlements and class action litigation keeps rising. What does this tell employers and companies dealing with BIPA-related litigation about the state of class action settlements in this area and what the plaintiffs’ bar is trying to do with BIPA-related settlements?
Tyler: Well, that’s a great question. BIPA class actions are not being filed to the extent that they have been filed in previous years. That being said, BIPA continues to be a major issue in Illinois, and we are still seeing many class actions come up under the statute. So, as always, companies that collect biometric data, or potentially biometric data, need to be very diligent about complying with the statute’s notice and consent requirements. And this case really highlights the significant financial risks that companies face if they fail to follow the law to the T, especially since damages for these older cases can be awarded per violation.
Jerry: In sum, what would you say are the key takeaways for companies doing business in Illinois from this settlement, and what are the takeaways and learning lessons that they ought to have about it?
Tyler: Employers, I would say the key takeaway is simple: make sure you’re getting informed written consent from employees before collecting any biometric data, ideally during onboarding, day one of an employee’s work with the company. That means explaining how the data will be used, stored, and deleted, and informing employees of any changes in company policies or procedures regarding biometric data.
Jerry: Well, thanks so much, Tyler. We’ll be watching this settlement and others, and in the upcoming Duane Morris Class Action Review to be published in the second week of January of 2026, you’ll be one of our featured authors with your analysis of the state of BIPA litigation and settlements throughout the year. So, thanks so much for joining us on the podcast, and for giving us your insights to this particular settlement.
Tyler: Thank you, Jerry. Thank you, listeners. It was a pleasure to be here.
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jerry Maatman and Daniel Spencer with their analysis of a proposed $24.8 million settlement to resolve misclassification claims brought by delivery drivers in 2015.
Jerry Maatman: Thank you again for being here, our loyal blog readers and listeners, for our next episode of our weekly podcast series entitled The Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today is my colleague, our newest partner, Daniel Spencer of our Los Angeles office. Welcome.
Daniel Spencer: Thanks, Jerry. Great to be here. I appreciate you having me.
Jerry: Today, we’re here to discuss a nearly 10-year settlement in the making in a case called Lawson v. Grubhub. Daniel, can you give us some background on the case and what the plaintiffs’ claims are all about?
Daniel: Absolutely. So, this case has been around for quite some time. It kicked off in late 2015 when a former Grubhub driver, Raef Lawson, filed a suit in California. He claimed Grubhub misclassified him and thousands of others in independent contractors when they were actually employees. Lawson brought his claims for unpaid overtime, failure to reimburse business expenses, and other violations of the California Labor Code. He also brought a representative claim under the California Private Attorneys General Act, and this set the stage for what turned into nearly 10 years of litigation.
Jerry: Let’s start with the first major ruling, a bench trial in 2017. What happened there?
Daniel: That’s correct. So, at the trial, the court ruled against Lawson, finding that he was an independent contractor and not an employee. The court concluded that Grubhub properly classified their drivers as independent contractors under the S.G. Borrello & Sons v. Department of Industrial Relations multi-factor test that was the law at the time. The original test evaluated how much control a potential employer had over the way a worker completed his assigned tasks. To determine whether a worker was classified as an employee or an independent contractor, there were multiple factors that an employer had to look to, such as whether the employee or worker provided the tools for the job, the duration of the working relationship. And Lawson appealed that decision to the Ninth Circuit.
Jerry: While things weren’t, complicated enough, in 2018, the California Supreme Court issued a ruling that replaced the Borrello test with what’s known as a stricter ABC test from the Dynamex v. Superior Court case. The ABC test was then later codified into law with passage of Assembly Bill 5 in 2019. What impact did those developments have on the pending appeal?
Daniel: So, while the AB5 bill was coming into law, Lawson’s appeal was stayed, and the California Supreme Court decided whether the Dynamex ruling would apply retroactively. In 2021, the Ninth Circuit vacated the earlier decision in favor of Grubhub and sent the case back to the district court. The district court was then instructed to determine whether the exemption under the ABC test applied, and if not, to apply the ABC test to the original case.
Jerry: So, we’re back in the lower federal court. What was the outcome? Was it any different than the original bench trial?
Daniel: It was, and the Ninth Circuit vacated the decision. The district court ruled that the plaintiff was actually an employee in 2023. Then, the district court determined that a Grubhub delivery driver is an employee and not an independent contractor for minimum wage and overtime claims under the ABC test.
Jerry: Can you explain to our listeners what the ABC test entails and measures?
Daniel: The ABC test is a three-part test that an employer must meet if they want to classify a worker as an independent contractor. The worker is only an independent contractor if they meet all three parts of the test. The first part is the worker has to be free from control and direction of the hirer in relation to the performance of the work, both under the contract and in fact. The worker also, under the second part, has to perform work that’s outside the usual course of the hirer’s business. And finally, the third factor is that the worker is customarily engaged in an independent, established trade or occupation or business of the same nature as the work performed by the hirer. Grubhub tried to show that an exemption to the ABC test applied, but the court disagreed, holding that Grubhub’s delivery drivers are necessary to Grubhub’s business, which makes sense. That made Lawson an employee. The court awarded Lawson minimal damage for his individual minimum wage claims but found that Grubhub was not liable for any overtime compensation because Lawson didn’t work any overtime hours.
Jerry: That’s quite a turn of events, but I understand Lawson wasn’t satisfied with the result, correct?
Daniel: No. And the parties ultimately agreed to settle the remaining claims under a deal that came together in April of 2024 Just before the remedies bench trial was set to begin, in August of this year, Lawson moved for preliminary approval of a $24.75 million settlement. That proposed class is about 60,000 drivers in California who use Grubhub for at least one delivery since December of 2014. Under the deal, each class member will get at least $25. The preliminary settlement includes a $100,000 service award for Lawson, $260,000 set aside for administration costs, and $2 million in PAGA penalties, most of which will go to the state.
Jerry: And I assume plaintiffs’ counsel is interested in garnering a third of that settlement of $24.75 million?
Daniel: Yes, approximately 33%, which is fairly standard in large class actions of this type, especially ones that drag on for nearly a decade, like this case. If the court grants preliminary approval, the deal will move forward into the notice phase, there will be an opportunity for people to object, and then there will be a final settlement and approval hearing.
Jerry: Well, that’s quite a journey. Dwight D. Eisenhower and the troops invaded Normandy on D-Day in lesser time than it took for this case to wind through the court system, but it’s certainly a cautionary tale for employers in general, and gig companies in particular, in terms of what sort of impact misclassification decisions can have in terms of the litigation setting.
Well, thanks, Daniel, for your debut appearance on the podcast, and for explaining this settlement and what it meant, both to the parties and to other employers. And thanks for our loyal blog listeners for being here. We’ll be watching this settlement closely in terms of the settlement approval process and bring you further PAGA and California-related class updates as they occur. So don’t forget to subscribe to our blog and to our weekly podcast series, and we’ll see you next time.
Daniel: Thanks, Jerry, it was a pleasure to be here.
By Alex. W. Karasik, Brian L. Johnsrud, and George J. Schaller
Duane Morris Takeaways: On October 13, 2025, California Governor Gavin Newsom, issued a written statement declining to sign Senate Bill 7 – called the “No Robo Bosses” Act (the “Act”). While the Act aimed to restrict when and how employers could use automated decision-making systems and artificial intelligence, Governor Newsom rejected the proposed legislation in terms of the Act’s broad drafting and unfocused notification requirements. Governor Newsom’s statement reflects an initial rebuttal to a wave of pending AI regulations as states wrestle with suitable AI guidance. Given the pro-employee tendencies of Governor Newsom and California regulators generally, this outcome is a mild surprise. Employers nonetheless should expect continued scrutiny of AI regulations before enactment.
This legislative activity surely sets the stage for what many believe is the next wave of class action litigation.
Overview Of SB 7: The “No Robo Bosses” Act
The Act was first introduced in December 2024. After several amendments, it was passed by the Senate Committee on September 23, 2025 for review and signature by Governor Newsom. The Act’s key proposals included prohibitions on employers solely using AI to make disciplinary or termination decisions, requiring human input for AI disciplinary or termination decisions, detailed advance notice requirements for use of AI in hiring or employment-related decisions, and post-notice requirements if an employer primarily relied on AI for disciplinary or termination decisions.
The Act focused on automated-decision making systems (“ADS”) and “employment-related decisions.” Under the Act, an ADS is defined as “any computational process derived from machine learning, statistical modeling, data analytics, or artificial intelligence that issues simplified output, including a score, classification, or recommendation, that is used to assist or replace human discretionary decision making and materially impacts natural personals.” With this definition, ADS incorporated a swath of technologies utilized by many employers such as call analytic tools, automated scheduling platforms, keystroke and computer monitoring software, and AI-based training programs. SB 7 also defined “employment-related decisions” as “any decision by an employer that materially impacts a worker’s wages, benefits, compensation, work hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job tasks, skill requirements, work responsibilities, assignment of work, access to work training opportunity, productivity requirements, or workplace health or safety.”
The Act also incorporated various pre-notice and post-notice requirements. Employers using an ADS system to make employment-related decisions (excluding hiring) would have been required to provide “pre-notice” at least 30-days before deploying an ADS, and 30-day notice to new hires for any ADS use. Similarly, the Act included “post-notice” provisions regarding post-notices when an employer relied on an ADS to make a discipline, termination, or deactivation decision, and to provide the impacted worker with notice at the time the employment decision is made. Both notices had requirements for the notice to be written in plain language, directed as a routine worker communication, and provided in an accessible format.
Violations under the “No Robo Bosses” Act included a proposed civil penalty of $500 per violation, with enforcement authority vested in the Labor Commissioner and public prosecutors of California. The proposed Act did not include a private right of action.
Governor Newsom’s Veto Of The Act
Governor Newsom’s veto of the Act centered on concerns of unspecified misuses of ADS technology and unfocused notification requirements. Governor Newsom did recognize the concerns associated with ADS in employment-making decisions but argued the Act’s “proposed solution fail[ed] to directly address incidents of misuse.” He also found that the restrictions embedded in the Act were broad and removed “a potentially valuable tool” when ADS systems are properly applied and properly employed. Governor Newsom’s critique of the Act demonstrates that the Act did not distinguish the benefits of ADS systems compared to risks associated with ADS use cases. Accordingly, Governor Newsom vetoed SB 7.
Implications Of The Veto
California employers do not have to mitigate their ADS systems yet based on Governor Newsom’s veto of SB 7, but given the Governor’s comments, its possible new legislation will be introduced to narrow the use of ADS systems in employment decisions. Governor Newsom’s veto of the Act further represents a growing concern among ADS systems and AI technologies legislative policies – namely that broad legislative efforts cannot efficiently or effectively address emerging technologies. While employers can expect other states may propound ADS and AI legislation in the context of employment decision-making, employers should consider that if the notoriously pro-employee State of California struck down legislation as overly broad and unfocused – it may take some time for other jurisdictions to determine how to finesse the legislative landscape.
Employers should continue to monitor federal developments in this area, as well. In July 2023, the federal “No Robot Bosses Act,” S.2419, was introduced in the Senate. While the bill has not been enacted, its provisions include similar limitations on the use of automated systems and would require human oversight before an automated decision is finalized.
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associates Ryan Garippo and Andrew Quay with their analysis of a North Carolina federal court decision dismissing a data breach class action.
Jerry Maatman: Thank you, loyal blog listeners and readers, for joining us for this week’s episode of the Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, and joining me today are my colleagues Ryan Garippo and Andrew Quay. Thanks for being here.
Ryan Garippo: Thanks for having me, Jerry. Glad to be here.
Andrew Quay: Glad to be here, Jerry, thanks.
Jerry: Today, we’re going to dive into a ruling that came down in September from the Western District of North Carolina. The court dismissed a data breach class action in a lawsuit captioned Dougherty v. Bojangles Restaurants, Inc. What was this case about?
Ryan: Well, Jerry, this case stems from a data breach that allegedly hit Bojangles, the fast-food chain, in February of 2024. The company notified potentially affected individuals later that year. And in response, nine former employees filed a putative class action claiming that Bojangles failed to implement proper cybersecurity protections.
Andrew: The plaintiffs brought, really, a mixed bag of claims, including state tort claims, a claim under the North Carolina Unfair and Deceptive Trade Practices Act, others as well. The core issue at hand was whether they had standing under Article III of the Constitution to bring the lawsuit in federal court.
Jerry: In terms of harm, what were the plaintiffs alleging in terms of their so-called injury in fact?
Ryan: Well, that’s the key, Jerry. Alleging is the key fact there. Eight out of the nine plaintiffs did not allege that there was any actual misuse of their data. They claimed that they were harmed due to the possibility of future risks, such as identity theft, sales of their information on the dark web, increased spam calls, emotional distress, the value of their personal data going down in the future, but nothing that was actually affecting them right now.
Andrew: And the ninth plaintiff claimed he noticed fraudulent charges on his debit card, but crucially, he didn’t allege that he ever gave that card number to Bojangles as part of his employment. The court thereby determined that even if this fraudulent charge established an injury, that injury was not traceable to the data breach at hand.
Jerry: In terms of the analysis of the court, I know it leaned heavily on the U.S. Supreme Court’s seminal ruling in 2021 in TransUnion v. Ramirez, and that encapsulated a standing analysis. How did TransUnion impact the court in North Carolina in terms of its decision to ultimately dismiss this lawsuit?
Andrew: Well, in TransUnion, the named plaintiff on behalf of a putative class alleged that TransUnion, which is a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures for placing a misleading alert in his credit file that labeled him as actually a potential terrorist, among other comparable threats. The Supreme Court held that only class members whose credit reports had actually been provided to third-party businesses had suffered concrete injury, that the mere existence of misleading alerts in one’s own credit file did not cause such an injury. So, if your data is compromised, but never actually used, maybe never even seen, you do not have a concrete injury.
Ryan: Yeah, and that’s exactly what happened here. The court said that the plaintiffs’ claims fell into the might-be-a-problem category, as opposed to the is already-a-problem category. So, in other words, if there wasn’t any actual type of misuse, such as someone attempting to open a credit card or steal their identity tied to the data breach. The court determined that the harm was just too speculative and dismissed the claims alleging fraudulent debt credit card usage as well, because as to that specific component, there was no allegation that it was actually traceable to Bojangles. So, either the plaintiffs had suffered no harm at all, or there was no traceability and failed on that prong in the alternative.
Jerry: It’s a very interesting outcome. Since the court never reached the underlying legal claims in terms of fault for the data breach, what does this mean for plaintiffs overall across the country in asserting injuries purportedly suffered in a data breach situation?
Andrew: The court ruled that every class member must show concrete injury, even at the pleading stage. And that’s a major procedural signal for future data breach class actions. Plaintiffs must show real-world harm, and if they can’t show actual misuse of data, or link that alleged misuse back to the defendant, courts should shut these cases down early, just like here.
Ryan: Yeah, and importantly, it gives defense counsel an important strategic roadmap – you can attack Article III standing. Now, here it was just for the named plaintiffs, but there’s language which suggests that this should be applied to the entire putative class, and which sort of harkens back to the Supreme Court’s dissent from denial of certiorari in LabCorp v. Davis, which hints at bigger questions about whether classes with uninjured class members can even be certified at all. Now, that issue was left for a different day, but here we’re not even going to get to see it because the court knocked this class action out at the pleading stage.
Jerry: Seems to me the Bojangles ruling certainly is a reminder that standing is anything but a formality and can be a very powerful tool by defense counsel and a corporation facing data breach class action litigation, a way to knock the socks off the lawsuit before you even get to the class certification issue, and gives the defendant, in these circumstances, a very strong argument for dismissal.
Well, those are great insights, Andrew and Ryan, and thanks for being with us today and breaking down the ruling, and thank you to our listeners for tuning in to this week’s episode of the Class Action Weekly Wire. As always, subscribe to our blog and stay tuned in for the latest trends in class action law.
Andrew: Thanks for having me on the podcast, Jerry, and thank you to our listeners.
By Gerald L. Maatman, Jr., Ryan T. Garippo, and Elizabeth G. Underwood
Duane Morris Takeaways: On October 6, 2025, in Salazar v. National Basketball Association, No. 22 Civ. 07935, 2025 WL 2830939 (S.D.N.Y. Oct. 6, 2025), Judge Jennifer L. Rochon of the U.S. District Court for the Southern District of New York dismissed a proposed digital privacy class action against the National Basketball Association (“NBA”) because the plaintiff failed to plausibly allege that the NBA disclosed personally identifiable information in violation of the Video Privacy Protection Act (“VPPA”). The district court reasoned that, following Second Circuit precedent, an “ordinary person” would not be able to identify the plaintiff’s video-watching habits from the alleged Pixel transmissions. Id. at *5. This ruling illustrates that district courts in the Second Circuit continue to interpret the phrase “personally identifiable information” contained within the VPPA narrowly, and that the uphill burdens that plaintiffs carry on adtech and VPPA claims against corporate defendants are continuing to grow steeper.
Case Background
In Salazar v. NBA, the plaintiff, Michael Salazar (“Plaintiff”) alleged that the NBA disclosed his personal information, including personal viewing information, to Meta, the owner of Facebook and Instagram, via Meta Pixel (a common form of advertising technology or “adtech”). Id. at *1–3. According to Plaintiff, Meta Pixel is “a snippet JavaScript code” that allows online businesses to “track visitor activity on their website.” Id. at *1. When Meta Pixel is activated, it supposedly tracks the visitors and the visitors’ actions, including the pages they visit and the buttons they click. Id. Plaintiff filed his suit against the NBA on September 16, 2022. Id. at *2. He claimed that he signed up for an online newsletter to register for NBA.com and then that he separately watched videos on the NBA’s website. Id. at *1. Plaintiff also alleged that after he watched videos on the NBA’s website, not in connection with his subscription to the newsletter, his video-watching history was sent to Meta without his permission via the undisclosed use of Meta Pixel on the NBA’s website. Id. at *5. In response, the NBA filed a motion to dismiss and argued that Plaintiff failed to plead that he was a consumer of goods and services within the meaning of the VPPA, because although he alleged that he viewed audio-visual content on the NBA’s website, he did not allege that he viewed the materials that he actually subscribed to but rather, separate, and free content that was offered elsewhere on the website. So, put differently, the content containing adtech was not the content that created his statutory standing to sue under the VPPA. Id. at *2.
The district court agreed with the NBA and granted its first motion to dismiss under Rule 12(b)(6). Plaintiff, however, appealed the decision to the U.S. Court of Appeals for the Second Circuit. On appeal, the Second Circuit agreed with Plaintiff, vacated the district court’s judgment, and remanded the case, finding that the plaintiff had “plausibly pleaded” that he was a consumer under the VPPA by alleging that he had subscribed to the NBA’s digital newsletter. Id. The Second Circuit reasoned that as long as the plaintiff was a “subscriber” under the meaning of the VPPA, he only needed to allege that he separately viewed audio-visual content offered by the defendant in order to state a valid claim. The Duane Morris summary of the Second Circuit’s decision is attached here which describes the opinion in more detail.
Notably, this decision was not the only time that Plaintiff raised these issues to an appellate court. In April, the U.S. Court of Appeals for the Sixth Circuit ruled against this exact same Plaintiff on the same issue, based on the argument that a plaintiff needed to subscribe to the audio-visual content he or she alleges was actually disclosed in order to have statutory standing to sue under the VPPA. Thus, the Sixth Circuit created the odd situation where this exact same Plaintiff, Michael Salazar, filed one lawsuit in New York where he had statutory standing and another in Tennessee where he did not. The Duane Morris summary of the Sixth Circuit’s decision is attached here and also provides more detail.
Nonetheless, on remand from the Second Circuit, Plaintiff filed a First Amended Complaint and later filed a Second Amended Complaint. Id. In response, the NBA again moved to dismiss the claims under Rule 12(b)(6), this time arguing that (1) pursuant to binding Second Circuit precedent, there was no disclosure of personally identifiable information under the VPPA; and (2) the plaintiff did not allege knowing disclosure. Id. at *3.
The Court’s Opinion
Judge Rochon agreed with the NBA and dismissed Plaintiff’s proposed VPPA class action. Id. at *5. In reaching its decision, the Court applied the Second Circuit’s “ordinary person” standard, which requires plaintiffs to show that the “personally identifiable information” includes information that would permit an “ordinary person” to identify a user’s video-watching habits. Id. at *3.
Under the standard, the Court found that the personally identifiable information would not allow an ordinary person to identify Plaintiff’s video-watching habits, relying on other cases in which the Second Circuit rejected Pixel-based VPPA claims that “mirror” the allegations at issue. Id. at *3, *5; see Soloman v. Flipps Media, Inc., 136 F.4th 41, 44 (2d Cir. 2025) (finding that the complaint did not “plausibly allege that an ordinary person could identify [the plaintiff]” because an ordinary person would not be able to decipher the “c_user” cookie and corresponding string of letters to be a person’s Facebook ID); see also Hughes v. National Football League, 24-2656, 2025 WL 1720295 (2d Cir. June 20, 2025) (rejecting the argument that a user’s Facebook ID could be identified based on lines of computer code because it was not plausible that an ordinary person would conclude that the phrase was a person’s Facebook ID). The Court aligned with other district court rulings in finding the plaintiff’s argument — that a person could use internet-based tools like ChatGPT to understand the code communication — to be unpersuasive, reasoning that the argument was “insufficient to demonstrate that an ordinary person would know what to do with the c_user information to pinpoint an individual’s identity.” Id. at *5. (citing Taino v. Bow Tie Cinemas, LLC, No. 23-CV-0537, 2025 WL 2652730, at *8 (S.D.N.Y. Sept. 16, 2025)).
Although Plaintiff asked the Court not to dismiss the complaint based on the holdings in Soloman and Hughes, claiming the Soloman and Hughes line of precedent was on unstable footing, the Court independently concluded that “[t]here is no basis for this Court to find that the Second Circuit’s decision in Soloman runs afoul of the statutory text of the VPPA, and thus Plaintiff’s reliance on these [alternative] cases does not convince the Court that Soloman is soon to be overruled.” Id. at *4. In other words, “[b]ecause an ordinary person would not plausibly be able to identify Plaintiff’s video-watching habits as a result of the Pixel transmissions, Plaintiff has not plausibly alleged that the NBA disclosed personally identifiable information in violation of the VPPA.” Id. at *5.
Implications For Companies
This case is a success for defendants involved in other putative adtech class actions. Indeed, Salazar is another example of a district court applying a narrow interpretation of “personally identifiable information” under the Second Circuit’s “ordinary person” standard and has broader implications outside of the VPPA to adtech class actions generally.
As a result, if corporate counsel is faced with an adtech class action, based on common-place technology installed on his or her organization’s website, he or she should consider raising these arguments in a motion to dismiss or shortly thereafter, as Salazar and its progeny may prove to be a powerful tool to exit a putative class action early in the litigation..
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jerry Maatman and Jennifer Riley discussing key highlights in our upcoming webinar: Year-End Review of EEOC Enforcement Litigation and Strategy.
Register and join us for the 30-minute panel on Wednesday, October 22, 2025, from 11:00 a.m. to 11:30 a.m. Central.
Jerry Maatman: Thank you, loyal blog listeners and readers, for being here again to join us for the next episode of our regular podcast series, The Class Action Weekly Wire. I’m Jerry Maatman, a partner at Duane Morris, here with my partner, Jennifer Riley. Welcome.
Jennifer Riley: Great to be here. Thanks, Jerry. Thanks for having me.
Jerry: Today, we’re talking about a special webinar program coming up on Wednesday, October 22, from 11:00 to 11.30 a.m. Central Time. It’s a virtual program that we think our listeners shouldn’t miss. It’s our biannual EEOC developments briefing hosted by Duane Morris.
Jennifer: You’ll hear from me, Jerry, Alex Karasik, and Gregory Tsonis during this 30-minute segment. Heading into fiscal year 2026, we will talk about some significant changes implemented by the Trump administration. Employers’ compliance with federal workplace laws and agency guidance remains a corporate imperative.
Jerry: The theme of our webinar will be a scorecard. How is the EEOC doing? What does their enforcement program look like in terms of our tracking and analyzing all of the lawsuits that have been filed over fiscal year 2025, and what it teaches employers about the priorities of the EEOC’s Strategic Enforcement Program.
Jennifer: That’s right, Jerry. We will be covering a lot of ground in a very short time period, starting with the major shakeups at the EEOC, the EEOC’s new strategic priorities, lawsuit trends, as well as enforcement initiatives.
Jerry: We’ll also dig into the numbers on the scorecard to give our listeners an idea of what the EEOC has focused on in terms of their lawsuit filings around the country.
Jennifer: Whether you are a corporate counsel, an HR director, or a business leader, compliance with EEOC guidelines is essential, and this program will provide some strategies to stay compliant and avoid drawing scrutiny from the agency.
Jerry: So, the watchwords in this webinar will be how to be proactive rather than reactive. So please register for the event, save the date for, our analysis and practical insights on everything about the EEOC and what fiscal year 2026 has in store for companies.
Jennifer: Well, thanks for having me on the podcast today, Jerry, and thanks to the listeners for being here. As always, subscribe to stay updated on the latest trends in class action law, and register for the upcoming webinar on our blog.
Duane Morris Takeaway:This week’s episode of the Class Action Weekly Wire features Duane Morris partner Jerry Maatman and associate Ryan Garippo and Andrew Quay with their discussion of a major settlement in the data breach class action space.
Jerry Maatman: Thank you, loyal blog readers, for being here again for our next episode of our podcast series entitled the Class Action Weekly Wire. I’m Jerry Maatman, a partner with Duane Morris, and joining me today are my colleagues Ryan Garippo and Andrew Quay. Thanks for being here.
Ryan Garippo: Thanks for having me, Jerry. Great to be here.
Andrew Quay: Glad to be here. Thanks, Jerry.
Jerry: Today, we’re going to dive into a ruling granting final settlement approval in litigation entitled In Re Fortra File Transfer Software Data Breach Security Litigation – certainly a mouthful. Ryan, can you give our podcast listeners some background on what this litigation was all about?
Ryan: Yeah, of course, Jerry. This case is one that stems from a massive data breach that occurred a couple years ago, back in January of 2023, linked to the Clop ransomware group, which is a Russian-based operation. They exploited a zero-day vulnerability in Fortra’s GoAnywhere MFT software, which a lot of health and financial institutions use to securely transfer files. As a result, the hackers allegedly used that vulnerability to access and steal the personal health information of at least 5 million people.
Jerry: Were there any organizations that were impacted, or strictly just individuals?
Andrew: There were. The breach also affected about 130 organizations, including big names like Aetna, Community Health Systems, and NationsBenefits, all of which ended up as defendants in the resulting lawsuits.
Jerry: So, for our listeners, this case ended up then in a multidistrict litigation proceeding venued in the U.S. District Court for the Southern District of Florida, is that right?
Ryan: Yeah, that’s right, Jerry. It’s common practice in these data breach cases where, several dozen lawsuits are filed across the country, at least here, two dozen were filed, and they ultimately get consolidated into a multidistrict litigation, which here was in February of 2024, before Judge Rodolfo Ruiz. Plaintiffs’ consolidated complaints allege that the defendants failed to adequately protect their private health information of the plaintiffs and the settlement class from the unauthorized access. They also assert multiple counts of common law and statutory violations, all of which seek relief coming from the same events.
Andrew: And to follow up with Ryan, after the parties settled the claims, Judge Ruiz just issued final approval of a $20 million global settlement, which followed a separate $7 million settlement that was reached earlier in the year with a subclass of plaintiffs who sued another big defendant, Brightline.
Jerry: Let’s talk a little bit about specifics and drill down. What was exactly encompassed within the $20 million settlement?
Ryan: Well, the settlement is a $20 million cash fund to cover class member benefits, attorneys’ fees, and administration costs. However, each member can choose between up to $5,000 in documented losses, or a flat $85 cash payment.
Jerry: What about non-monetary benefits? I understand that those can be determinative in data breach class action settlements.
Andrew: There’s the option for dark web monitoring, except for the Brightline subclass, as those class members had already elected credit monitoring under the earlier settlement. However, the settlement does not constitute any admission of fault or liability by the defendants. That’s standard language in these types of agreements, but it’s worth noting that the court also emphasized this was not a ruling on the validity of the claims or the defenses.
Jerry: What did the judge do with respect to the plaintiffs’ petition for an award of attorney’s fees and costs?
Ryan: Well, the plaintiffs’ attorneys, of course, needed their fees, and he awarded up to 33% of the $20 million, which comes out to $6.67 million for the class counsel. There was also $263,800 in litigation costs separately, so about $2.3 million in attorneys’ fees for the Brightline subclass counsel as well.
Andrew: And just to highlight this, following the settlement several defendants, including Fortra, NationsBenefits, Intellihartx, Imagine360, and Community Health Systems have provided attestations confirming they’ve enhanced their cybersecurity to prevent future breaches.
Jerry: We’ve seen several large and significant class action settlements in the data breach space so far in 2025, including a ruling granting preliminary settlement approval to a $177 million settlement in In Re AT&T Inc. Customer Data Security Breach Litigation. When you measure that against what occurred in Florida, what do you think with respect to the terms being fair, adequate, and reasonable to the settlement class here?
Ryan: Well, the court stated that “despite the risks involved with further litigation, the Settlement provides outstanding benefits, including Cash Payments, Dark Web Monitoring, injunctive relief, for all Settlement Class Members.” in which we just discussed. In light of those factors, the court found the settlement to be “fair, reasonable, and adequate,” and there were no objections filed, which, for a class of this size, is fairly significant. So, it usually means that the settlement terms were both well-structured and negotiated.
Jerry: So, at a 100,000-foot level, what would be the takeaways for corporate counsel with respect to this litigation?
Andrew: Well, it’s highly important for companies to monitor any vulnerabilities and proactively invest in cybersecurity. These attacks can happen fast and get more sophisticated by the day. And for companies holding sensitive data – particularly health data – regulators, plaintiffs’ attorneys, and courts are all watching, so make sure that you are in compliance and engaging in best practice cybersecurity measures.
Jerry: Well, thanks, Ryan and Andrew. These are great insights, and listeners, thanks for joining us today, and appreciate my colleagues breaking down this settlement and what it means for corporate counsel. So please, listeners, join us for future episodes of the Class Action Weekly Wire, and subscribe to stay updated to the latest trends in class action litigation.
Ryan: Thanks for having me on the podcast, Jerry, and as always, thanks to the listeners for joining us.
By Gerald L. Maatman, Jr., Bernadette M. Coyle, and Elizabeth G. Underwood
Duane Morris Takeaways: On September 12, 2025, in EEOC v. Support Center for Child Advocates, No. 2:25-CV-00310, (E.D. Pa. Sept. 12, 2025), Judge John F. Murray of the U.S. District Court for the Eastern District of Pennsylvania denied the EEOC’s second unopposed motion for approval of a consent decree between the EEOC and Support Center for Child Advocates. The Court remained unsatisfied with the lack of information with which the Court could assess the appropriateness of the parties’ agreement.
This ruling demonstrates that approval of an agreed upon consent decree is anything but a guaranteed rubber stamp. Instead, it shows the importance of providing a factual basis and thorough reasoning to justify gaining court approval, even when motions are unopposed.
Case Background
On January 17, 2025, the EEOC, on behalf of charging party Meghan Seitz, filed a lawsuit against Defendant Support Center for Child Advocates regarding allegations of pregnancy discrimination under Title VII of the Civil Rights Act of 1964. (ECF 1.) Specifically, the EEOC alleged that the child advocacy organization discriminated against Ms. Seitz, a former employee with a high-risk pregnancy, when the organization denied Ms. Seitz an accommodation to work remotely during the COVID-19 pandemic. (Id. ¶¶ 21–24.)
On August 15, 2025, the EEOC first moved for approval of the proposed consent decree. (ECF 29.) The motion includes the consent decree as “Exhibit A,” which sets forth the parties’ agreed-upon plan for Support Center for Child Advocates to provide future accommodations to similar employees, adopt an Equal Employment and non-discrimination policy, implement human resources and management personnel training, inform workers about their rights to accommodations, and pay Seitz $30,000, among other provisions. (ECF 29-1.)
The Court denied the EEOC’s initial motion for entry of the consent decree on August 18, 2025. (ECF 30.) The Court reasoned that the motion requested the consent decree be entered “for the reasons stated therein” but included no reasons stated therein. (Id. at 1 n.1.)
The Court opined that it had no way of knowing whether the agreement was appropriate or not. As a solution, the Court invited the parties to either file a stipulated dismissal after agreeing amongst themselves to the terms of the proposed consent decree or refile the motion with additional information.
Most Recent Filings And Order
On September 8, 2025, the EEOC filed a supplemental motion for entry of the consent decree, which provided an overview of the procedural history of the case. (ECF 31.) The EEOC also filed an unopposed memorandum in support of its motion. (ECF 31-1.) In the memorandum, the EEOC further outlined the case history, labeled as the statement of the case, and argued that settlement through a consent decree is a regular and appropriate manner of resolution and that the proposed consent decree satisfies the legal standard for judicial review.
On September 12, 2025, the Court denied the EEOC’s second motion for entry of the consent decree, finding the motion did not provide an adequate factual basis from which the Court could assess the appropriateness of the consent order. (ECF 32.) To resolve this issue, the Court noted that it would be willing to conduct an evidentiary hearing to build a record if the parties were interested. (Id. at 1 n.1.)
Implications For Employers
The Court’s denial of the second motion for entry of the proposed consent decree in EEOC v. Support Center for Child Advocates should serve as a cautionary reminder to litigants that courts will not merely rubber-stamp EEOC consent decrees where a sufficient factual basis justifying approval is not provided to courts.
Litigants must provide courts with more information than mere conclusory statements that the proposed consent decree is fair and reasonable for courts to approve of consent decrees. Otherwise, litigants may find themselves forced to backtrack in the settlement approval process.
